21 December 2014

As 2014 comes to a close and we look into the future of 2015 it is time to reflect. After 1000+ blog posts on the topic and discipline of Operational Risk Management (ORM) it seems like a blur. To start off this final post for the year, we looked back on our last post in December 2013. It is amazing to see how accurate many of our forecasts were for 2014.

Here are some of the Operational Risk Management blog posts that had the most page views this past year:

Now for the ORM forecast. 2015 will provide new opportunity and a positive outlook not
seen since 2007. The global investors are still bullish on the
possibilities for long-term growth. The religious wars will continue to
spark new regional conflicts, yet the super powers will continue to
find common ground. Resilience to systemic failures will define what
countries emerge, as the next tier of global influence.

At the end of the day, we are all the same. Love for our family
and the constant anxiety of providing a safe, secure and nourishing
environment for them to live out their days. As we close our eyes each
night to try to sleep, we plan our next day on managing the "Operational
Risks" in our path ahead.

14 December 2014

The rules of the game may have changed across the corporate landscape. Corporations that have been proactive in the management of Operational Risks, are making headlines in the published press. There is a race to build new 100,000 Sq. Ft. data centers around the globe, in order to satisfy the insatiable competitive appetite of bandwidth hungry enterprises:

The studio behind the “Spider-Man” franchise and “The Social Network” has taken technological countermeasures to disrupt downloads of its most sensitive information, which was exposed when a hacking attack crippled its systems in late November.

The company is using hundreds of computers in Asia to execute what’s known as a denial of service attack on sites where its pilfered data is available, according to two people with direct knowledge of the matter.

Sony is using Amazon Web Services, the Internet retailer’s cloud computing unit, which operates data centers in Tokyo and Singapore, to carry out the counterattack, one of the sources said. The tactic was once commonly employed by media companies to combat Internet movie and music piracy.

In one of the most devastating cyber security breaches in recent memory, a hacking group calling itself Guardians of Peace claimed to have stolen just under 100 terabytes of Sony Pictures’ financial information, budgets, payroll data, internal emails and feature films and has slowly leaked portions of it to public file-sharing sites such as PasteBin.

The cyber war has been facilitated by the rise of substantial new digital weapons and the cloud-based compute power to make it all happen. The question is not who is behind the latest DoS of "PasteBin" as much as when the next Stuxnet-like design will gain favor, by a private sector organization. You see, the use of sophisticated offensive cyber malware is not new. No different than conventional chemical weapons that are developed by nation states, the variants and new "Zero Days" ultimately could end up in the hands of militias and clandestine dark sites on the net for sale.

Before Stuxnet, most of America’s military and intelligence cyber-operations focused on stealing or distorting data, or used cyber-tools to help direct U.S. weapons. Stuxnet was envisioned by U.S. officials as a replacement for a conventional weapon. Using a computer virus or worm to gum up the works of something from within would provide an alternative to, say, destroying a nuclear facility from the air. Stuxnet appears to have done that. “Stuxnet stands alone as the only known cyberattack to have caused physical destruction to a system,” Zetter writes.

The physical digital copying, erasure or even encryption of corporate data, that then becomes the focus of an extortion plot, is the Operational Risk Management (ORM) business problem that remains on your Board Room doorstep. The Sony Board of Directors now understand the liability of dealing with a $100 million plus incident, as an adverse material event, spawned from the cyber domain. The rules of the digital game have changed. Now what can be done about this particular wake up call?

Besides getting your outside counsel ramping up for a tremendous cache of billable hours and your Information Governance Teams burning the midnight oil, the future strategy is now evolving. How many digital files in your corporation contain proprietary Intellectual Property (IP)? If you don't know the answer, then we recommend that you start counting. You need to figure out what the value is, of all this data and for good reason. At the other end of the Operational Risk spectrum are the SEC regulatory issues in the U.S.. Jeffrey Carr explains here:

“Consistent with the Regulation S-K Item 503(c) requirements for risk factor disclosures generally, cybersecurity risk disclosure provided must adequately describe the nature of the material risks and specify how each risk affects the registrant. Registrants should not present risks that could apply to any issuer or any offering and should avoid generic risk factor disclosure.”

The value of your particular organizations Intellectual Property can then be compared against the requirements for your IP, on a global basis. What countries or companies are spinning up Research & Development operations in the same IP space that your organization is operating in? What U.S. companies are encouraged to relocate a manufacturing plant overseas? Why is this significant? The correlation is that if there are a rising number of foreign R&D labs focused on your particular category of IP, then you can guess that your company is going to be a substantial target for sustained industrial espionage. Regulatory burdens exist and yet may not be the greatest risk.

When there is not enough time or money to infiltrate your organization with insider human assets, then the outsourcing of digital theft campaigns will begin, or a combination of insider theft operations in cooperation with outsourcing. The hackers-for-hire trade, is larger than you may know. How much do you think a nation state would pay for a "Stuxnet" Zero Day on the open market in todays U.S. dollars? Mid to high six figures. Not likely. 7 or 8 figures is getting closer.

While the malware designed for the exfiltration of data from Sony Pictures is different than Stuxnet's design to disrupt a specific type of Siemens Controller for a certain IR-1 centrifuge, the intent and motive may be quite similar. To disrupt and destroy the capabilities of your adversary. Now the question for Sony is whether this was a nation state or simply a "disgruntled insider," or possibly both that can be attributed to the sabotage attack.

The complexity and the longevity of the risk is evident. The magnitude and the impact of the destruction is apparent. Are you sure you don't have an Insider Threat? See appendix C here:

This fourth edition of the Common Sense Guide to Mitigating Insider Threats provides the most current recommendations of the CERT® Program (part of Carnegie Mellon University's Software Engineering Institute), based on an expanded database of more than 700 insider threat cases and continued research and analysis. It introduces the topic of insider threats, explains its intended audience and how this guide differs from previous editions, defines insider threats, and outlines current patterns and trends. The guide then describes 19 practices that organizations should implement across the enterprise to prevent and detect insider threats, as well as case studies of organizations that failed to do so. Each practice includes features new to this edition: challenges to implementation, quick wins and high-impact solutions for small and large organizations, and relevant security standards. This edition also focuses on six groups within an organization-human resources, legal, physical security, data owners, information technology, and software engineering-and maps the relevant groups to each practice. The appendices provide a revised list of information security best practices, a new mapping of the guide's practices to established security standards, a new breakdown of the practices by organizational group, and new checklists of activities for each practice.

01 December 2014

The effective implementation of Operational Risk Management (ORM) requires two types of courage; both physical and moral. What are some examples? "Physical Courage" is the act by an individual to run into the burning building to save those caught on the upper floors. "Moral Courage" is the decision to finally expose the multi-year fraud scheme executed by the company controller, who happens to be your boss and is a former college class mate.

The courage component is different, yet the same. The existence of fear in a "physical sense" may be harder to overcome since it will expose you to bodily harm and potential death. The fear associated in a "moral sense" will impact your reputation or standing in the community that you live in, or the profession you operate within. This fear could be greater for some than even risking ones own life.

Is it possible to learn and improve your skills for both physical and moral courage? The answer is yes and it has been a factor of education and training for hundreds of years. The goal is to ensure that your organization, enterprise, team or community is learning both and creating effective habits. The continuous and repetitive exercises to deal with the fear of bodily harm or blowing-the-whistle on your best friend is the bottom line here.

"What are you doing to overcome your fear to save a life? What are you doing to overcome your fear of reputation loss? The ratio of learning both and exercising them in the field or when needed inside the institution, enterprise or government is what is at stake."

Once the education and training programs are in place to learn new skills then the fear of action will diminish, when the time comes. Who do you have coming to work each day who has the balanced ability to carry an adult out of the burning building or simultaneously detect a multi-layered accounts payable scheme?

Unfortunately, these are only two examples of a wide spectrum of courage that is required each day. In New York City or the Sahel, Board Room to the Break Room, from the Class Room to the Conference Room both physical and moral courage will be required. In seconds. The courageous decision you make may cause bodily harm or the end of a career. What are you going to do to learn and train to deal with the fear that you will encounter? What kind of courage will you be called upon to utilize in order to act, to behave correctly and expeditiously?

Operational Risk Management (ORM) is a vital factor in your city, your business and your virtual community. It spans the spectrum of courage from physical to moral. The question remains, will you act when the time and moment arises?

About

Operational Risk is defined as the risk of loss resulting from inadequate or failed processes, people, and systems or from external events. The definition includes legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes exposure to litigation from all aspects of an institutions activities.

"The Only Thing Necessary For Evil To Triumph Is For Good Men To Do Nothing." --E. Burke